Security Bulletin
Summary
There is an information disclosure vulnerability in IBM WebSphere Application Server that affects FastBack for Workstations Central Administration Console.
Vulnerability Details
CVEID: CVE-2016-5986
DESCRIPTION: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116556 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
FastBack for Workstations Central Administration Console (CAC) 7.1 and 6.3.
Remediation/Fixes
FastBack for Workstations CAC 7.1
The fix for FastBack for Workstations CAC 7.1 will be to apply the Liberty interim fix pack PI67093.
In order to obtain the PI67093 fix, refer to the WAS security bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21990056
Click on the link for Liberty interim fix pack PI67093. Click the FC (Fix Central) download link for 8559-wlp-archive-IFPI67093. Once downloaded, there will be a Readme.txt file and the 8559-wlp-archive-IFPI67093.jar file.
To apply the interim fix, do the following:
- Stop the TSM FastBack for Workstations Central Administration Console service (CAC_Service)
- Open an elevated command window and direct it to the location of the iFix jar
- Run the command: java -jar 8559-wlp-archive-IFPI67093.jar --installLocation "C:\Program Files\Tivoli\TSM\CAC\wlp" (default install location shown)
The following launch options are available for the jar:
--installLocation [LibertyRootDir] By default the jar looks for a "wlp" directory in its current location. If your Liberty profile install location is named differently from "wlp" and/or is not in the same directory as the jar, use this option to change where the jar will patch. [LibertyRootDir] can be either relative to the location of the jar or an absolute file path.
--suppressInfo hides all messages other than confirming the patch has completed or error messages.
- Start TSM FastBack for Workstations Central Administration Console service (CAC_Service) and the fix will become active in your runtime environment.
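The CAC 7.1 steps above, scripted as an added example (this is not IBM's code and is not part of the bulletin). It assumes an elevated PowerShell session, java.exe on PATH, the jar in the current directory, the default install location quoted above, and that the Liberty productInfo tool is present for the optional verification step.

```powershell
# Added example: automates the CAC 7.1 interim-fix steps from this bulletin.
# Assumptions (not stated in the bulletin): elevated session, java on PATH,
# the iFix jar in the current directory, default Liberty install location.
$ServiceName = 'CAC_Service'
$LibertyRoot = 'C:\Program Files\Tivoli\TSM\CAC\wlp'   # default install location
$FixJar      = Join-Path (Get-Location) '8559-wlp-archive-IFPI67093.jar'

if (-not (Test-Path $FixJar))      { throw "Fix jar not found: $FixJar" }
if (-not (Test-Path $LibertyRoot)) { throw "Liberty root not found: $LibertyRoot" }

# Step 1: stop the Central Administration Console service and wait for it to stop
Stop-Service -Name $ServiceName -Force
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# Step 2: run the interim fix installer against the Liberty root.
# Paths are quoted inside the argument list because the default path contains spaces.
$proc = Start-Process -FilePath 'java' `
    -ArgumentList @('-jar', "`"$FixJar`"", '--installLocation', "`"$LibertyRoot`"") `
    -NoNewWindow -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    # Leave the service stopped so an unpatched runtime is not silently brought back
    throw "Interim fix installer exited with code $($proc.ExitCode); service left stopped"
}

# Step 3: start the service again and confirm it reaches the Running state
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))

# Optional verification (assumed Liberty tooling, not a step in the bulletin):
# productInfo lists installed iFixes; PI67093 should appear after a successful install.
$productInfo = Join-Path $LibertyRoot 'bin\productInfo.bat'
if (Test-Path $productInfo) {
    $ifixes = & $productInfo version --ifixes
    if ($ifixes -match 'PI67093') { Write-Output 'PI67093 is listed as installed' }
    else { Write-Warning 'PI67093 not listed by productInfo; verify the install manually' }
}
```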
FastBack for Workstations CAC 6.3
The fix for FastBack for Workstations CAC 6.3 will be to update the embedded eWAS included with the Tivoli Integrated Portal to 7.0.0.41 and then apply the WAS interim fix pack PI67093.
Update embedded eWAS to 7.0.0.41
To update the embedded eWAS included with the Tivoli Integrated Portal to 7.0.0.41, click on the following link:
http://www.ibm.com/support/docview.wss?uid=swg21981056
and then download 7.0.0-WS-WASEmbeded-WinX32-FP0000041.pak
To update the embedded eWAS, do the following:
- If not already at the CAC 6.3.1.1 version, upgrade to this version.
- Stop the Tivoli Service: Tivoli Integrated Portal - V2.2_TIPProfile_Port_16310
- Using the Update Installer application (update.exe) found in the Tivoli Integrated Portal installation directory (default location: C:\IBM\Tivoli\Tipv2_fbws\WebSphereUpdateInstallerV7) apply the 7.0.0-WS-WASEmbeded-WinX32-FP0000041.pak file downloaded earlier
In order to obtain the PI67093 fix, refer to the WAS security bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21990056
Click on the link for v7.0.0.0 through v7.0.0.41 interim fix pack PI67093. Click on the Fix Central (FC) download link for 7.0.0.41-WS-WAS-IFPI67093. Once downloaded, there will be a Readme.txt file and a 7.0.0.41-WS-WAS-IFPI67093.pak file.
To apply the interim fix after having upgraded to WAS 7.0.0.41, do the following:
- Using the Update Installer application (update.exe) found in the Tivoli Integrated Portal installation directory (default location: C:\IBM\Tivoli\Tipv2_fbws\WebSphereUpdateInstallerV7) apply the 7.0.0.41-WS-WAS-IFPI67093.pak file downloaded earlier
- Restart the Tivoli Service or reboot the machine
Workarounds and Mitigations
None
References
Change History
01 November 2016 - Original publish date.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
17 June 2018
UID
swg21993009